ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
ROM-RSA, Rabin, Diffie-Hellman, El Gamal, andDiscrete Logarithms
Douglas WikstromKTH [email protected]
February 18
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
ROM-RSA
Rabin
Diffie-Hellman
El Gamal
Discrete Logarithms
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
The RSA Assumption
Definition. The RSA assumption states that if:
1. N = pq factors into two randomly chosen primes p and q ofthe same bit-size,
2. e is in Z∗
φ(N),
3. m is randomly chosen in Z∗
N ,
then for every polynomial time algorithm A
Pr[A(N, e,me mod N) = m]
is negligible.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Semantically Secure ROM-RSA (1/2)
Suppose that f : {0, 1}n → {0, 1}n is a randomly chosen function(a random oracle).
◮ Key Generation. Choose a random RSA key pair((N, e), (p, q, d)), with log2 N = n.
◮ Encryption. Encrypt a plaintext m ∈ {0, 1}n by choosingr ∈ Z
∗
N randomly and computing
(u, v) = (r e mod N, f (r)⊕m) .
◮ Decryption. Decrypt a ciphertext (u, v) by
m = v ⊕ f (ud) .
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Semantically Secure RSA in the ROM (2/2)
◮ We increase the ciphertext size by a factor of two.
◮ Our analysis is in the random oracle model, which isunsound!
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Semantically Secure RSA in the ROM (2/2)
◮ We increase the ciphertext size by a factor of two.
◮ Our analysis is in the random oracle model, which isunsound!
Solutions.
◮ Using a “optimal” padding the first problem can be reduced.See standard OAEP+.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Semantically Secure RSA in the ROM (2/2)
◮ We increase the ciphertext size by a factor of two.
◮ Our analysis is in the random oracle model, which isunsound!
Solutions.
◮ Using a “optimal” padding the first problem can be reduced.See standard OAEP+.
◮ Using a scheme with much lower rate, the second problem canbe removed.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Semantically Secure RSA in the ROM (2/2)
◮ We increase the ciphertext size by a factor of two.
◮ Our analysis is in the random oracle model, which isunsound!
Solutions.
◮ Using a “optimal” padding the first problem can be reduced.See standard OAEP+.
◮ Using a scheme with much lower rate, the second problem canbe removed.
◮ If the key of an ideal cipher is encrypted, then we can avoidthe ROM and still have “optimal padding”
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Rabin’s Cryptosystem (1/3)
Key Generation.
◮ Choose n-bit primes p and q such that p, q = 3 mod 4randomly and define N = pq.
◮ Output the key pair (N, (p, q)), where (N, e) is the public keyand (p, q) is the secret key.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Rabin’s Cryptosystem (2/3)
Encryption. Encrypt a plaintext m by computing
c = m2 mod N .
Decryption. Decrypt a ciphertext c by computing
m =√
c mod N .
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Rabin’s Cryptosystem (2/3)
Encryption. Encrypt a plaintext m by computing
c = m2 mod N .
Decryption. Decrypt a ciphertext c by computing
m =√
c mod N .
There are four roots, so which one should be used!
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Rabin’s Cryptosystem (3/3)
Suppose y is a quadratic residue modulo p.
(
±y (p+1)/4)2
= y (p+1)/2 mod p
= y (p−1)/2y mod p
=
(
y
p
)
y
= y mod p
In Rabin’s cryptosystem:
◮ Find roots for yp = y mod p and yq = y mod q.
◮ Combine roots to get the four roots modulo N. Choose the“right” root and output the plaintext.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Security of Rabin’s Cryptosystem
Theorem. Breaking Rabin’s cryptosystem is equivalent tofactoring (provided we do not derandomize decryption!).
Idea.
1. Choose random element r .
2. Hand r2 mod N to adversary.
3. Consider outputs r ′ from the adversary such that(r ′)2 = r2 mod N. Then r ′ 6= ±r mod N, with probability1/2, in which case gcd(r ′ − r ,N) gives a factor of N.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
A Goldwasser-Micali Variant of Rabin
Theorem [CG98]. If factoring is hard and r is a random quadraticresidue modulo N, then for every polynomial time algorithm A
Pr[A(N, r2 mod N) = lsb(r)]
is negligible.
◮ Encryption. Encrypt a plaintext m ∈ {0, 1} by choosing arandom quadratic residue r modulo N and computing
(u, v) = (r2 mod N, lsb(r)⊕m) .
◮ Decryption. Decrypt a ciphertext (u, v) by
m = v ⊕ lsb(√
u) where√
u is a quadratic residue .
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Diffie-Hellman Key Exchange (1/3)
Diffie and Hellman asked themselves:
How can two parties efficiently agree on a secret key using onlypublic communication?
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Diffie-Hellman Key Exchange (2/3)
Construction.Let G be a cyclic group of order q with generator g .
1. ◮ Alice picks a ∈ Zq randomly, computes ya = g a and hands ya
to Bob.
◮ Bob picks b ∈ Zq randomly, computes yb = gb and hands yb
to Alice.
2. ◮ Alice computes k = yab .
◮ Bob computes k = yba .
3. The joint secret key is k.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Diffie-Hellman Key Exchange (3/3)
Problems.
◮ Susceptible to man-in-the-middle attack withoutauthentication.
◮ How do we map a random element k ∈ G to a randomsymmetric key in {0, 1}n?
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
The El Gamal Cryptosystem (1/2)
Definition. Let G be a cyclic group of order q with generator g .
◮ The key generation algorithm chooses a random elementx ∈ Zq as the private key and defines the public key as
y = gx .
◮ The encryption algorithm takes a message m ∈ G and thepublic key y , chooses r ∈ Zq, and outputs the pair
(u, v) = Ey (m, r) = (g r , y rm) .
◮ The decryption algorithm takes a ciphertext (u, v) and thesecret key and outputs
m = Dx(u, v) = vu−x .
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
The El Gamal Cryptosystem (2/2)
◮ El Gamal is essentially Diffie-Hellman + OTP.
◮ Homomorphic property (with public key y)
Ey (m0, r0)Ey (m1, r1) = Ey (m0m1, r0 + r1) .
This property is very important in the construction ofcryptographic protocols!
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Discrete Logarithm (1/2)
Definition. Let G be a cyclic group of order q and let g be agenerator G . The discrete logarithm of y ∈ G in the basis g
(written logg y) is defined as the unique x ∈ {0, 1, . . . , q − 1} suchthat
y = gx .
Compare with a “normal” logarithm! (ln y = x iff y = ex )
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Discrete Logarithm (2/2)
Example. 7 is a generator of Z12 additively, since gcd(7, 12) = 1.
What is log7 3?
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Discrete Logarithm (2/2)
Example. 7 is a generator of Z12 additively, since gcd(7, 12) = 1.
What is log7 3? (9 · 7 = 63 = 3 mod 12, so log7 3 = 9)
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Discrete Logarithm (2/2)
Example. 7 is a generator of Z12 additively, since gcd(7, 12) = 1.
What is log7 3? (9 · 7 = 63 = 3 mod 12, so log7 3 = 9)
Example. 7 is a generator of Z∗
13.
What is log7 9?
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Discrete Logarithm (2/2)
Example. 7 is a generator of Z12 additively, since gcd(7, 12) = 1.
What is log7 3? (9 · 7 = 63 = 3 mod 12, so log7 3 = 9)
Example. 7 is a generator of Z∗
13.
What is log7 9? (74 = 9 mod 13, so log7 9 = 4)
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Discrete Logarithm Assumption
Let Gqn be a cyclic group of prime order qn such that ⌊log2 qn⌋ = n
for n = 2, 3, 4, . . ., and denote the family {Gqn}n∈N by G .
Definition. The Discrete Logarithm Assumption (DLA) in G
states that if generators gn and yn of G qn are randomly chosen,then for every polynomial time algorithm A
Pr[
A(gn, yn) = loggnyn
]
is negligible.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Discrete Logarithm Assumption
Let Gqn be a cyclic group of prime order qn such that ⌊log2 qn⌋ = n
for n = 2, 3, 4, . . ., and denote the family {Gqn}n∈N by G .
Definition. The Discrete Logarithm Assumption (DLA) in G
states that if generators g and y of G are randomly chosen, thenfor every polynomial time algorithm A
Pr[
A(g , y) = logg y]
is negligible.
We usually remove the indices from our notation!
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Diffie-Hellman Assumption
Definition. Let g be a generator of G . The Diffie-HellmanAssumption (DHA) in G states that if a, b ∈ Zq are randomlychosen, then for every polynomial time algorithm A
Pr[
A(ga, gb) = gab]
is negligible.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Decision Diffie-Hellman Assumption
Definition. Let g be a generator of G . The DecisionDiffie-Hellman Assumption (DDHA) in G states that ifa, b, c ∈ Zq are randomly chosen, then for every polynomial timealgorithm A
∣
∣
∣Pr
[
A(ga, gb, gab) = 1]
− Pr[
A(ga, gb, g c ) = 1]∣
∣
∣
is negligible.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Relating DL Assumptions
◮ Computing discrete logarithms is at least as hard ascomputing a Diffie-Hellman element gab from ga and gb.
◮ Computing a Diffie-Hellman element gab from ga and gb is atleast as hard as distinguishing a Diffie-Hellman triple(ga, gb, gab) from a random triple (ga, gb, g c ).
◮ In most groups where the DLA is conjectured, DHA andDDHA are conjectured as well.
◮ There exists special elliptic curves where DDHA is easy, butDHA is conjectured!
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Security of El Gamal
◮ Finding the secret key is equivalent to DLA.
◮ Finding the plaintext from the ciphertext and the public keyand is equivalent to DHA.
◮ The semantic security of El Gamal is equivalent to DDHA.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Brute Force and Shank’s
Let G be a cyclic group of order q and g a generator. We wish tocompute logg y .
◮ Brute Force. O(q)
◮ Shanks. Time and SpaceO(√
q)
.
1. Set z = gm.
2. Compute z i for 0 ≤ i ≤ q/m.
3. Find 0 ≤ j ≤ m and 0 ≤ i ≤ q/m such that yg j = z i andoutput x = mi − j .
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Pollard-ρ (1/2)
Partition G into S1, S2, and S3 “randomly”.
◮ Generate “random” sequence α0, α1, α2 . . .
α0 = g
αi =
αi−1g if αi−1 ∈ S1
α2i−1 if αi−1 ∈ S2
αi−1y if αi−1 ∈ S3
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Pollard-ρ (1/2)
Partition G into S1, S2, and S3 “randomly”.
◮ Generate “random” sequence α0, α1, α2 . . .
α0 = g
αi =
αi−1g if αi−1 ∈ S1
α2i−1 if αi−1 ∈ S2
αi−1y if αi−1 ∈ S3
◮ Each αi = gai ybi , where ai , bi ∈ Zq are known!
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Pollard-ρ (1/2)
Partition G into S1, S2, and S3 “randomly”.
◮ Generate “random” sequence α0, α1, α2 . . .
α0 = g
αi =
αi−1g if αi−1 ∈ S1
α2i−1 if αi−1 ∈ S2
αi−1y if αi−1 ∈ S3
◮ Each αi = gai ybi , where ai , bi ∈ Zq are known!
◮ If αi = αj and (ai , bi ) 6= (aj , bj) then y = g (ai−aj)(bj−bi )−1
.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Pollard-ρ (2/2)
◮ If αi = αj , then αi+1 = αj+1.
◮ The sequence α0, α1, α2, . . . is “essentially random”.
◮ The Birthday bound implies that the expected running time isO(√
q).
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Index Calculus
◮ Let B = {p1, . . . , pB} be a set of small prime integers.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Index Calculus
◮ Let B = {p1, . . . , pB} be a set of small prime integers.
◮ Compute ai = logg pi for all pi ∈ B.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Index Calculus
◮ Let B = {p1, . . . , pB} be a set of small prime integers.
◮ Compute ai = logg pi for all pi ∈ B.
1. Choose sj ∈ Zq randomly and attempt to factor g sj =∏
i pej,i
i
as an integer.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Index Calculus
◮ Let B = {p1, . . . , pB} be a set of small prime integers.
◮ Compute ai = logg pi for all pi ∈ B.
1. Choose sj ∈ Zq randomly and attempt to factor g sj =∏
i pej,i
i
as an integer.2. If g sj factored in B and ej = (ej,1, . . . , ej,B ) is linearly
independent of e1, . . . , ej−1, then j ← j + 1.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Index Calculus
◮ Let B = {p1, . . . , pB} be a set of small prime integers.
◮ Compute ai = logg pi for all pi ∈ B.
1. Choose sj ∈ Zq randomly and attempt to factor g sj =∏
i pej,i
i
as an integer.2. If g sj factored in B and ej = (ej,1, . . . , ej,B ) is linearly
independent of e1, . . . , ej−1, then j ← j + 1.3. If j < B, then go to (1)
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Index Calculus
◮ Let B = {p1, . . . , pB} be a set of small prime integers.
◮ Compute ai = logg pi for all pi ∈ B.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Index Calculus
◮ Let B = {p1, . . . , pB} be a set of small prime integers.
◮ Compute ai = logg pi for all pi ∈ B.
◮ Repeat:
1. Choose s ∈ Zq randomly.2. Attempt to factor yg s =
∏
i pei
i as an integer.3. If a factorization is found, then output (
∑
i aiei − s) mod q.
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Example Groups
◮ Zn additively?
DD2448 Foundations of Cryptography Febrary 18, 2010
ROM-RSA Rabin Diffie-Hellman El Gamal Discrete Logarithms
Example Groups
◮ Zn additively? ((logg y)g = y mod n, sologg y = yg−1 mod n) Bad for crypto!
◮ Large prime order subgroup of Z∗
p with p prime. In particularp = 2q + 1 with q prime.
◮ Large prime order subgroup of GF∗
pk .
◮ “Carefully chosen” elliptic curve group.
DD2448 Foundations of Cryptography Febrary 18, 2010